Over 600,000 UK Tesco Clubcard holders became victims of a cyberattack, which saw some of their Clubcard accounts compromised. Tesco stressed that customers’ financial data was not compromised and that its systems had not been hacked.
How was the Attack Conducted?
Supermarket giant Tesco stated that a database of stolen credentials had been used to try to penetrate its customers’ accounts. According to Tesco, these credentials were likely to have originated from past breaches on other platforms.
In such attacks, cybercriminals aim to find accounts where users have reused the same username and password across several services. Users, unfortunately, still use simple passwords and similar logon credentials for many different platforms.
“Cyber-criminals can do a lot of damage with a large breached list simply containing names and emails or other trivial data,” said Jake Moore, cyber-security specialist at Eset.
“The big risk is via brute force attacking the accounts where criminals use leaked common password combinations against the emails to try to break into other personal accounts,” he said. A brute-force attack consists of an attacker submitting many passwords with the hope of eventually guessing the password.
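The two patterns described above look different in a service's login log: reused stolen credentials produce roughly one guess against each of many accounts, while brute force produces many guesses against few accounts. The following is an added example, not part of the original article and not Tesco's detection logic; the event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events (source_ip, username, outcome); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", "fail") for i in range(40)]
    + [("203.0.113.7", "user40@example.com", "success")]
    + [("198.51.100.9", "alice@example.com", "fail")] * 30
    + [("192.0.2.15", "bob@example.com", "fail"),
       ("192.0.2.15", "bob@example.com", "success")]
)

def classify_sources(events, min_attempts=20, wide=0.8, narrow=0.2,
                     max_success_rate=0.1):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions, to be tuned on real traffic.
    """
    stats = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, outcome in events:
        s = stats[ip]
        s["attempts"] += 1
        s["ok"] += outcome == "success"
        s["users"].add(user)
    verdicts = {}
    for ip, s in stats.items():
        spread = len(s["users"]) / s["attempts"]  # distinct accounts per attempt
        success_rate = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts:
            verdicts[ip] = "normal"
        elif spread >= wide and success_rate <= max_success_rate:
            verdicts[ip] = "credential-stuffing"  # one guess each, many accounts
        elif spread <= narrow:
            verdicts[ip] = "brute-force"          # many guesses, few accounts
        else:
            verdicts[ip] = "review"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts that logged in successfully from a flagged source."""
    flagged = {ip for ip, v in verdicts.items()
               if v in ("credential-stuffing", "brute-force")}
    return sorted({user for ip, user, outcome in events
                   if ip in flagged and outcome == "success"})

if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v)
    print("force password reset for:", accounts_to_reset(SAMPLE_EVENTS, v))
```

Grouping by source IP alone misses attacks spread across many addresses, so the same counting is worth repeating per network range or per client fingerprint.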
Tesco’s Response to the Attack
Tesco became aware of fraudulent activity on customers’ online accounts when it was picked up by its internal systems. A Tesco spokesperson said that, as soon as the company became aware of the fraudulent activity, “…we immediately took steps to protect our customers and restrict access to their accounts.”
Tesco’s steps also included emailing any customers who had potentially been affected by the Clubcard cyberattack. Customers were asked to reset their passwords and new physical Clubcard cards were sent to customers who still used them. The emails also reassured customers that their points would not be lost and that new reward vouchers would be issued. Customers earn reward vouchers through the card’s loyalty scheme.
Tesco also reassured its customers that no financial data had been compromised and that Tesco systems had not been hacked.
How to Safeguard Accounts
To avoid becoming victims of cyberattacks, users should use password managers to generate and store strong, unique passwords. Another option for keeping online accounts safe is to use two-factor authentication whenever possible.
With two-factor authentication, a second factor, usually a text message sent to the user’s mobile, is used as well as a password.